Every day I experience life in the world of healthcare IT, supporting 3000 doctors, 18000 faculty, and 3 million patients. In this blog I record my experiences with infrastructure, applications, policies, management, and governance as well as muse on such topics such as reducing our carbon footprint, standardizing data in healthcare, and living life to its fullest.

Friday, April 27, 2012

As IT departments throughout the country work to protect the privacy of and ensure the data integrity of patient records, it's important to understand the threats we all face.

Websense has issued their 2012 threat report, which I recommend you download and read (it's free)

You'll discover that in 2012
• 82% of web-based malware is hosted on compromised legitimate hosts
• 55% of data-stealing malware communications are web-based
• 43% of the activity inside of Facebook is categorized as streaming media
• 60% of phishing attacks are hosted in the United States
• 36% of malware is hosted in the United States

IT departments are challenged with protecting security with sometimes unpopular policies and difficult to use technologies. It's very cool to see the 2012 threat report which validates the work we have to do.

Thursday, April 26, 2012

Last week, Kathy's oncologists made the decision to stop Taxol chemotherapy permanently because Kathy has lost so much function in her hands and feet. Yesterday Kathy had a diagnostic mammogram and breast MRI to evaluate the impact of her treatment on the tumor. We'll now move to the next phase of treatment decision making. Will she benefit from any additional chemotherapy or can we move on to surgery, either lumpectomy or mastectomy?

It's been three weeks since Kathy last received Taxol and sensation is beginning to return to her 4th and 5th fingers. Her thumbs, 2nd and 3rd fingers, and palms are still too numb to feel a pin prick. Taxol affects each patient differently. The degree of numbness, the recovery between treatments, and the amount of permanent disability are highly variable. Kathy's clinicians believe she is among the most sensitive patients to Taxol.

Chemotherapy is not a precise science. There is no controlled trial that suggests 5 cycles of Taxol are insufficient and 9 cycles are perfect. For Kathy, the 5 cycles she received may have given her the best balance of benefit and risk.

Given that chemotherapy was stopped, an objective analysis of the tumor is important. Does she have residual cells or has all 5 centimeters of the tumor disappeared?

Here's her mammography report:

Left breast with two clips, no visible mass, left axilla scar, skin thickening
Impression - resolution of tumor mass since 12/2011

The radiologist reading the study called the result "miraculous"

We'll have an interpretation of her MRI tomorrow.

Our next step is to confer with her care team and decide if there is any benefit to additional chemotherapy, such as a final cycle of Adriamycin/Cytoxan. Kathy's hair is beginning to grow back (described by her as gray/white peach fuzz) and her body is starting to recover from weeks of intravenous poisons. Her liver enzymes were elevated modestly last week, likely due to the Taxol, providing further evidence that chemotherapy drugs are not benign. She'd prefer to close the chemotherapy chapter and move on to surgery as soon as possible. During this entire process, it was not the loss of a breast that was her greatest concern, but the cumulative effect of chemotherapy on her mind, body, and spirit. It would be good to declare the chemotherapy process finished.

In the upcoming days, we'll finalize a go forward plan. It may be that lumpectomy in May followed by radiation this Summer will be our final steps on this journey. More to come!

Wednesday, April 25, 2012

I recommended five priorities to create a foundation for care management and population health:

1. Universal adoption of EHRs - every clinician in an ACO needs to record data electronically, ideally using the same EHR vendor. If not the same EHR, then using common pick lists/vocabularies enables data to be comparable across practices. At BIDMC we created a model office workflow to ensure data is recorded by individuals with the same role at the same time in the same processes using the same value sets.

2. Healthcare Information Exchange - data should be shared among caregivers for care coordination and panel management. Approaches can include viewing data in remote locations, pushing summaries between providers, or pulling summaries from multiple sites of care. BIDMC has created novel approaches to secure data sharing as well as participated in many federal and state HIE pilots.

3. Business Intelligence/Analytics - once data is collected and shared, it needs to be analyzed retrospectively to identify gaps in care and prospectively to ensure patients receive the right care at the right time during their encounters with clinicians. BIDMC has worked with the Massachusetts eHealth Collaborative to create a community-wide quality data center as well as piloted popHealth to support our analytic needs.

4. Universal availability of PHRs - engaging patients and families in their care, ensuring communication of care plans and achieving seamless handoffs, is essential to keeping patients well. BIDMC has offered comprehensive PHRs to all of its patients since 1999.

5. Decision Support Services - care management requires alerts, reminders, pathways, and guidelines. Ideally, all members of the care team will receive decision support inside their electronic record based on enterprise rule sets. At BIDMC, we've used the concept of Decision Support Service Providers to to turn data into knowledge and wisdom inside our EHRs and web applications.

Of these five tactics, the biggest challenge is defining the care management rules - what conditions, wellness measures, home care interventions, best practices, and evidence should be incorporated into the point of care and analytic systems? Yesterday, at the BIDMC Clinical IT Governance Committee, we agreed to to charter a working group of experts to set these priorities so that our care management strategy is well planned and not a random collection of individual projects, driven by individuals with specific niche requirements (squeaky wheels or siloed departmental requests). It's a good start.

Tuesday, April 24, 2012

As the nation begins its pilots of pioneer Accountable Care Organizations and shares more data for care coordination and population management, IT departments will be asked to make clinical records available to increasing numbers of loosely affiliated clinicians and staff.

The challenge will be managing the authentication and authorization of a diverse population of legitimate users.

BIDMC stakeholders met this week to discuss best practices for managing distributed authentication while protecting privacy. We suggested three approaches:

1. Use well defined rules to approve new accounts for external organizations in addition to implementing robust audit systems for monitoring account use

As clinical relationships become increasingly complex, it is no longer sufficient to use staff/credentialing privileges as the gating factor for creating accounts with clinical access rights. Organizational legal relationships (agreements signed between entire organizations), chain of command sponsorship (MD leadership at an organization requests access for appropriate clinicians), and patient referral patterns (coordination of care requires specific team member access) are all valid reasons for authorizing users. Since management of accounts across organizations is challenging, it is important to review audit trails via automated and manual methods, enforcing minimal need to know and appropriate clinical data use policies. We already use a variation of this approach for those external clinicians caring for BIDMC patients who need access to our read-only web-based provider portal.

2. Federated authentication

Although one organization can issue credentials to employees of affiliates, it is challenging to monitor changes in the status of users at outside organizations. What if a clinician's role changes or they leave? If one organization trusts the credentials of another organization, a federated approach can provide more timely oversight of access rights. At Beth Israel Deaconess, we've created a technology that enables EHRs at outside organizations to access records of patients shared in common with BIDMC - the "magic button". A trusted associated organization manages clinical access to its own systems, and then grants those authorized users rights to BIDMC records for only those patients registered at the local site and BIDMC. Although comprehensive legal agreements to enable this approach take time to create, the benefit is better account oversight when roles change at outside organizations.

3. State HIE trust fabric

Approaches 1+2 work well for clinician access to provider portals. For State HIE approaches that involve pushing data between organizations, another approach is possible - using certificates to create a trust fabric for the entire community. As part of the Massachusetts HIE infrastructure, we're creating directories and security certificates that enable any provider to securely transmit content to any other provider with patient consent. Processes are created to issue certificates to trusted organizations which sign Data Use and Reciprocal Support Agreements (DURSA). Once the security infrastructure and agreements are in place, any clinician can leverage the community trust fabric, using their existing EHRs and organizational credentials, to send data to another clinician.

Accountable Care Organizations and integrated delivery networks have the challenge of sharing more data at the same time that the regulatory/compliance environment requires greater security. These three approaches are all useful tactics for the authentication and authorization management improvements we will all have to make in the months ahead.

2. Recommend that the National Library of Medicine is the optimal organization for doing content review of value sets, offering feedback to value set and measure developers.

3. Recommend that a government "value set hosting entity" distribute all the necessary vocabularies and code sets, making them available for download or real time query.

For #3, we'll need a body of standards to enable the sharing of value sets. From our investigation thus far, the Common Terminology Services (CTS) family of standards seems like the leading candidate to enable automated exchange of vocabulary resources.

What is CTS?

It is the work of some 20 years, merging early terminology services work (Pathak, et al; LexGRID, JAMIA) and the 3M/Intermountain work into the LexGrid environment . It has evolved through three standards organizations CTS1 (in HL7 and ISO) and CTS2 (in the Object Management Group). It is now an industry standard through OMG.

What does it do?

The core principle is that we should not have different ways (Custom programming, REST protocols, SPARQL queries , etc) of accessing terminologies. CTS2 is a unifying access method for terminologies, and ontologies that is an Application Programming Interface (API) specification, and easily deployed through REST or SPARQL queries. It supports things as simple as word/code pairs, and full ontologies such as OWL. It forms the backbone of the National Center for Biomedical Ontologies (NCBO) and earlier versions of at the National Cancer Institute LexEVS services. General Electric has adopted it, as the core terminology services in their work with Intermountain Healthcare (Huff et al). The specification is public and an open-source reference implementation will soon be available. Any company or group is free to establish as CTS2 service.

NLM is working on CTS2 support for its terminology services.

Although you may not have heard of CTS, it will be an important mechanism for EHRs to download and query the curated vocabularies and code sets required for Meaningful Use in 2014 and beyond.

Friday, April 20, 2012

In their first week of life, chicks need a brooder temperature of 95F. Every week thereafter, the temperature is reduced 5F so that by 6 weeks they're at room temperature (70F) and ready for life in an outdoor coop.

Here's the engineering challenge - how do you make an infrared heat lamp secure (so that it does not fall into the brooder and start a fire), yet infinitely adjustable so that it be can be raised and lowered easily to adjust the temperature?

The answer - a locking, ratcheted pulley system.

I secure my racing kayak to my Prius roof rack using the Thule Quick Draw which includes a carabiner, S-hook, and rope ratcheting pulleys.

Now, our heat lamp is secured to an overhead pipe via 8 feet of nylon rope and a ratchet. Just pull on the rope to securely raise the lamp - it cannot fall. To lower, release the ratchet button.

I have a digital thermometer inside the brooder as general guidance, but watch the chicks behavior for a more accurate assessment of their comfort. If they are clustered together for warmth, I lower the lamp two inches. If they are separated and hiding in the corner of the brooder to cool down, I raise the lamp two inches. At this point, they're eating, drinking, and peeping comfortably - a glorious first week of chicken life.

A safe, easy to adjust brooder heat control using a ratcheted pulley system from my Thule rack. That's cool.

Thursday, April 19, 2012

On Friday, after careful consideration, the BIDMC oncologists elected not to treat Kathy because her side effects from Paclitaxel (Taxol) were so severe - increasing pain and numbness in her hands and feet. She cannot hold a pencil, use a paintbrush, or eat with chopsticks. She has to nap mid day because of fatigue caused by constant neuropathic pain. Thus far, the Vitamin B6 has not helped and her clinicians recommended Gabapentin (Neurontin) to reduce the discomfort. She's not enthusiastic about masking symptoms. She'd prefer to monitor her body's progress objectively.

Kathy's attitude toward cancer treatment is aggressive - "poison me today for a cure tomorrow". She can accept short term pain for long term gain. The problem with neuropathy is that it may be permanent. She admits that permanent loss of her ability to create art or feel the difference between silk and sandpaper is challenging to accept.

Tomorrow, her clinicians will evaluate her progress and consider several options:
*Stop chemotherapy and await the results of the April 25 imaging studies. She may already be treated sufficiently
*Continue chemotherapy with an agent similar to Paclitaxel called Docetaxel (Taxotere)
*Stop the entire class of Taxane therapies and return to a cycle of Adriamycin/Cytoxan since that seemed to work so well in her early therapy

There are many possibilities and we're confident that all will be well.

Last Saturday we visited the Erikson Grain Mill, a family operated supplier of feeds for chickens, horses, and other farm animals. As luck would have it, a customer just cancelled their order for six Araucana/Ameraucana chicks (photo above). Moments after we arrived another family offered to adopt them, but we had already made up our minds. On Saturday at 2pm we became chicken farmers. Our young hens are enjoying the warmth and security of their new brooder (a Rubbermaid 37 gallon storage container), infrared lamp, and feeder. While at Erikson's we ordered the remainder of our 2012 coop population - 2 Buff Orpingtons, 2 Brahmas, and 2 Jersey Giants.

There's one other addition to our property that will begin life in our coop but then free range - Guinea Fowl. I've had Lyme disease twice and the Guinea Fowl are well known tick eaters. They'll start in our brooder for 6 weeks, live in the coop for 6 additional weeks, then we'll let them free range over our 15 acres, training them to return to the coop at night for safety.

Although Kathy's hands and feet are numb, she's very capable of caring for the new additions to our lives. Our move preparations are nearly complete so she can turn her attention to our next life phase. It's much more enjoyable to design the ideal coop for a small flock of chickens than to focus on the short term disability caused by cancer treatment. There are even a few chick brooder engineering problems for me to solve. More about that in tomorrow's post.

Wednesday, April 18, 2012

The April HIT Standards Committee included a comprehensive review of the Standards & Certification Criteria Notice of Proposed Rulemaking (NPRM) by each workgroup/task force/power team during a 5 hour marathon session. The capstone of the meeting with a thematic review of the entire NPRM by the Patient Engagement Power Team.

§ 170.314(b)(3) E-prescribing
The NPRM requires NCPDP Script 10.6 for content and RxNorm as the vocabulary. We also recommended that HL7 2.x be allowed for the highly constrained use case of pharmacies located within a hospital as part of an organized healthcare arrangement, since such interfaces are widely implemented today.

§ 170.314(b)(3) Demographics
The NPRM requires OMB standards for race and ethnicity, ISO 639-1 subset of 639-2 for language and ICD10 (not ICD10-CM) for Cause of Death, which has been used by government to code cause of death since since 1999. We noted that ICD-10 CM has been delayed and recommended it be removed entirely from the NPRM. We recommended that the HIT Policy Committee consider the use of ISO 3166-2 if country of birth is a desirable data element. We also considered the use of a more granular race/ethnicity code set such as CDC, but deferred this to the next edition of Meaningful Use.

§ 170.314(a)(4) Vital Signs and other observations
The NPRM does not require any standards in this area currently. We referred to the September 2011 vocabulary and code sets recommendations and suggested that ONC specify LOINC for specific study name, SNOMED-CT for appropriate findings, and UCUM for specific units of measure for all structured observations including vital signs. We also suggested that patient experience, such as pain scales, be recorded using LOINC for assessment instruments and SNOMED-CT for appropriate responses.

§ 170.314(a)(5) Problem Lists
The NPRM requires SNOMED-CT for problem lists. We recommended that the HIT Policy Committee consider the use of a field that represents an administrative categorization of the visit/billing diagnosis to support secondary uses of data but did not make a specific standards recommendation.

§ 170.314(a)(8) Clinical Decision Support
The NPRM specifies the use of the "Infobutton" standard. We recognize that clinical decision support includes access to educational materials, alerts, and reminders. We felt that a functional description of capabilities rather than a specific standards requirement would best achieve the policy goals. We made "Infobutton" optional, not a certification criteria, to encourage its adoption but also enable innovation.

§ 170.314(a)(17) Electronic Medication Administration Record
The NPRM does not constrain the technological approach to ensuring the right medication is given to the right patient via the right route at the right dose at the right time. The NPRM specifies the use of NTP to synchronize clocks. We agree that the technology for EMAR should not be over specified, enabling innovation.

§ 170.314(e)(2) Clinical Summmaries
The NPRM specifies the use of Consolidated CDA and several vocabularies (OMB Race/Ethnicity, ISO 639-1 subset of ISO-639-2 for language, SNOMED-CT for problems, LOINC for labs, and RxNorm for medications). We recommended that ICD-10 PCS be replaced with SNOMED-CT for procedures, completing our recommendation to remove ICD-10 CM and ICD-10 PCS entirely from the NPRM.

§ 170.314(a)(14) Patient Lists
The NPRM provides a functional description of capabilities rather than a standard for the generation of lists of patients matching specific clinical criteria. We noted that no current standard exists to transmit lists of patients in batch to registries and repositories, although this is desirable for the next edition of Meaningful Use.

§ 170.314(a)(16) Patient Education
The NPRM requires Infobutton. As with Decision Support, we recommended that Infobutton be an optional standard, not required for certification.

§ 170.314(b)(1) and § 170.314(b)(2) Transition of Care Summaries
The NPRM specifies the use of Consolidated CDA and several vocabularies (OMB Race/Ethnicity, ISO 639-1 subset of ISO-639-2 for language, SNOMED-CT for problems, LOINC for labs, and RxNorm for medications). It also recommends the use of the Direct implementation guide, XDR/XDM, and optionally SOAP for transport. We had a robust discussion about the parsimonious approach to transport. We concluded that the best approach would be to require the Direct implementation guide and encourage the use of XDR/transport standards of NwHIN Exchange by listing XDR and the S&I Framework Implementation Guide for NwHIN Exchange transport as optional, not certification criteria. This was truly an achievement - we succeeded in specifying one transport standard requirement for every EHR. Wes Rishel made an important point about the need to support "bilateral asynchronous upgrades" - the notion that different versions of transport Implementation Guides might be used over time by senders and receivers. We have to be very careful to ensure backward compatibility as our transport standards evolve.

For the remaining NPRM sections, we worked by the principle of consent unless otherwise noted by standards committee members.

§ 170.314(e)(1) View, download, and transmit to 3rd party.
We recommended that patient download capability be required to use Consolidated CDA as a minimum. We noted that TLS is an example of a means to secure the transmission channel but also recognized other approaches are possible. We recommended functional criteria for securing endpoints rather than a named standard.

§ 170.314(d)(2) Auditable events and tamper-resistance.
We noted redundancy in the NPRM - audit logs cannot be modified, but there is a need to detect modification. We also recommended that ASTM E2147 be used as a list of audit log data elements.

§ 170.314(a)(13) Family History
The NPRM does not require a specific standard. We concur that no standard is widely implemented today, although the Surgeon General's XML for family history has been used more than the HL7 pedigree standards.

§ 170.314(f)(7) and § 170.314(f)(8) Cancer Registry Reporting
We noted that the CDA Cancer Registry standard is not deployed in production. We also noted that this refers to a menu set item, so it is not a general requirement of EHR certification. It is a reasonable early standard for oncology specific EHRs.

§ 170.314(c)(1)-(3) NQF Quality Data Model
We noted that additional work on the Quality Data Model will be needed to ensure it aligns with all the other recommendations we made at today's meeting. We also noted that QRDA Category II and III are not yet balloted standards.

The Standards Committee reaffirmed its acceptance of all these recommendations by consensus. A remarkable achievement.

Our next process step is to draft and review a final transmittal letter to ONC, which we'll do over the next few weeks.

The HIT Standards Committee is such an effective group with amazing expertise and camaraderie that today's meeting was a perfect storm moment. This is definitely a time we'll all be telling our grandchildren about.

Tuesday, April 17, 2012

Meg Aranow, the former CIO of Boston Medical Center and now a principal at Aranow Consulting recently assembled several of the IT leaders in Boston to discuss opportunities for reducing costs and enhancing infrastructure by pooling our collective resources. Here's her guest post describing the exploration:

"I recently met with IT leadership from Partners Healthcare, Childrens Hospital Boston and Beth Israel Deaconess, all teaching affiliates of Harvard. The topic around which we convened was to discuss the idea of a collaborative datacenter.

With the potential upside of staffing and procurement efficiencies stipulated as a launching point for the discussion the conversation turned to what it would take to make it happen.

There were issues of (very) long term lease obligations, the cost of re-routing communication lines and the daunting spectra of demanding SLAs.

Clearly all of these challenges could be met by the combined IT talent…given a solid business case, time and resources. But it was also clear that given all of the demands IT departments are already facing – several of which are federally sponsored - this particular business case would have a hard time swimming to the surface.

Although I had been ready to engage in a vibrant discussion about competing business priorities, there was a vibe that nothing short of either fortuitous opportunity (i.e. the coincidental conclusion of independently negotiated leases) or a mandate would get enough attention to even be debated. The business case we built would have needed to be great, not just good or promising.

I am not sure if a collaborative datacenter is a good, never mind the best, idea. But the more general observation is that the current climate makes it difficult to devote resources to the exploration of new ideas. Most of hospital IT is consumed with 1) the day-to-day support and tweaking of what already exists and 2) projects in support of the legally mandated future initiatives.

We concluded the meeting thinking it might be an interesting idea to some day explore if there were time. But not now. "

Thanks for doing this Meg. In a world of infinite demand and limited IT supply, all CIOs feel "time bankrupt". The alignment of opportunity, regulatory mandate, cost pressures, politics, and prioritization is definitely a perfect storm that occurs only rarely.

Monday, April 16, 2012

Kathy and I move from our current house to our farm on April 27, so we have just one weekend of packing to go. Nancy P from Dallas posted a spectacular comment that is so accurate and timely I had to share it broadly:

"K. and J. - You may enjoy my 30 day packing calendar, written from my experience.

DAYS 1-5: We are lovingly admiring and discussing each of our material possessions while discarding what we no longer use. We’ll have a garage sale and make trips to Goodwill to donate unused items. I’ll wash, dry and organize objects to be sold or donated. We have plenty of boxes, bubble wrap, Sharpie pens and packing tape. Boxes are organized in categories based on their contents. We write a detailed list of the items in the right-hand corner of the top of the box and carefully seal it with packing tape.

DAYS 6-10: It is not realistic to cull through all of our belongings in 30 days. We’ll cull and reflect when we unpack. We’ll also have a lot more time when we unpack to plan a garage sale or make trips to Goodwill. A detailed list of contents of each box is not needed, so all boxes are now labeled only with a general category in the upper right hand corner. I’m segregating my son’s possessions so he can go through them himself. Things are starting to look a little messy around here. I need a GPS to locate that cup of tea I keep misplacing!

DAYS 11-15: It is increasingly unproductive to sort and categorize items before boxing them. So with the miracle of bubble wrap, we’ve taken a new approach: We can simply dump the contents of an entire drawer in bubble wrap, stuff the bubble wrap in a box, and label the box with the location of the drawer, like 'Master Bathroom: far left cabinet, third drawer down.' We’re able to safely pack in bubble wrap the entire contents of drawers and closets in no time at all. We’ll just sort and categorize the contents of these boxes when we unpack.

DAYS 16-20: Bubble wrap is overrated. You can only fit about ½ as much stuff in a box when you use it. And it takes forever to cut the size you need. Plus - you pack items between the bubble wrap layers, and many of these things will fall out from the layers and break as you unpack, so what’s the point? I’m trying to be more pragmatic. After all, these are only material possessions. As Bertrand Russell so eloquently stated 'It is preoccupation with possessions, more than anything else, that prevents men from living freely and nobly.' And as I so freely and nobly state 'Do we really need two full sets of martini glasses, anyway?'

DAYS 21-25: Rather than box up and move things of value that we don’t want, we will simply leave them behind for the new proprietors. I doubt the new owners will mind that we leave them items with inherent use and value - like that 30 pound Folgers coffee tin full of nuts and bolts in the garage. The value of the nuts and bolts aside, the tin itself is an antique. And we haven’t even opened those tubs of frozen yogurt in the freezer, which would make a thoughtful housewarming surprise. We’ve also learned that we don’t need to tape every box, because they are just being stacked on top of each other, so we only need to tape the top one.

DAYS 26-30: The realtor stopped by and declared that we can’t leave anything behind for the new owners. 'It all has to go,' she said with that little smug look that I have grown to dislike. So all the rest of this stuff is going out on the curb, and whoever wants to pick it up can have it. And if my kid wants his things…well…he’ll just have to come get them, or they will also be out there with the rest of our clutter. How did we accumulate all of this worthless stuff? What could we possibly have wanted with 73 packets of soy sauce? The realtor also found my misplaced cup of tea somewhere in the front hall. I did not appreciate the face she made; very unprofessional, if you ask me. And by the way, you do need to tape up each and every box –but I’ll spare you the details - and before I tape up my next box, I’m just throwing the Sharpies in there with them. Because at this point what am I going to write in corner of the box, 'Lots of other crap'? I’m overwhelmed…I really need to take a break…Damn it, I packed the martini glasses!"

Although I've never owned a martini glass, we'll be in Days 26-30 next weekend and I suspect I'll need one!

Friday, April 13, 2012

I've written several posts about BIDMC's use of "private cloud" approaches to host electronic records and gather community-wide quality data. Healthcare organizations have avoided the use of "public cloud" because of HIPAA/HITECH privacy concerns, lack of breach indemnification/data integrity guarantees, and the unwillingness of many cloud providers to sign business associate agreements.

CDC is the first government agency to complete all the rigorous certification needed to host sensitive data in the public cloud.

CDC has also built gateways that make it easy for public health departments to submit data to the cloud - a Direct Project adapter, an NwHIN Exchange adapter, and others. Meaningful Use Stage 1 requires the testing of health information exchange with public health and Beth Israel Deaconess did its transactions with the Boston Public Health Commission (BPHC), which stored them in CDC's public cloud. BPHC was the first public health department in the nation to provide data feeds to the Amazon infrastructure.

Finally, CDC has enabled queries of the cloud data using multiple platforms including open source analytical tools such as R.

A secure, HIPAA-compliant public cloud that includes healthcare information exchange gateways and analytical tools. That's cool!

Thursday, April 12, 2012

Although Kathy's body is sore and her hands/feet are numb, her mood is good as we finalize our house sale, pick out the chickens we'll raise on the new farm, and prepare for the life ahead instead of looking back on our old life and the events of the past 5 months.

She lost her last eyebrow hairs this week and the toenails on her big toes will likely fall off soon. She cannot open jars or water bottles because of diminished grip strength and today she visits the orthopedist for followup of her probable right knee medial collateral ligament tear. But she's happy.

Just 4 more treatments of Taxol and then hopefully Kathy's weakness/numbness will resolve as we move onto surgery and radiation.

Milestones ahead - films/orthopedic examination today, MRI of the breast on April 25 to determine if any detectable tumor remains, then a breast surgeon appointment on May 31. Although lumpectomy is a long shot and mastectomy is likely, Kathy's response to chemotherapy has been so good, that there's a possibility for minor rather than major surgery. We'll know by June, just about the time our chickens will be old enough to enjoy the long Summer days outside in our meadow.

The principle behind Clinical Query is that investigators will want to ask questions, preliminary to research, that will help them understand the potential statistical power of a clinical trial or the availability of data for clinical research.

What did we do?

We loaded 2.2 million patients (1997 to the present) and 200 million data elements into a repository, ensuring that every data element was mapped to a controlled vocabulary. When then built a web-based query tool capable of navigating 20,000 medical concepts via boolean (AND/OR) expressions of arbitrary complexity.

Labs were mapped to LOINC codes.

Problems/Encounter Diagnoses were mapped to SNOMED-CT codes.

Medications and Allergies were mapped to RxNorm codes

Demographics were mapped to the same code sets required for Meaningful Use.

The result is that any authorized user, who has completed our institutional HIPAA training, can run real time population queries.

For example, since my wife has Breast Cancer and has taken Ace Inhibitors, maybe I want to study the association of the two and I need a cohort of potential subjects. The query from start to finish took 3 seconds and yielded 2421 +/- 3 patients.

Why +/- 3?

We never report the exact number to ensure that the privacy of individual patients is protected since I could create a query so arcane that it identifies a single individual. The fictional example I've used in lectures is: "my neighbor has one blue and one green eye. Show me the count of all blue-eyed, green-eyed people taking mental health medications." A count of 1 could be disclosing. By adding arbitrary numbers to every result we ensure that population queries remain ambiguous.

Additional data extraction that would be used as part of offering a clinical trial or clinical research opportunity to a patient does require IRB approval.

Many novel explorations are possible such as the fact that 80,000 patients had ischemic heart disease and no history of Vioxx use, while 800 patients had ischemic heart disease and took Vioxx, which was withdrawn from the market in 2004 because of concerns about increased risk of heart attack and stroke with long-term, high-dosage use. Clinical Query can help investigators explore the temporal relationship between the introduction of Vioxx and the frequency of ischemic heart disease.

What if the QueryHealth initiative could access I2B2 connected data sources, such as enabling pharmaco-vigilance queries from the FDA to be broadcast across the country?

We can best protect privacy by keeping all our patient identified data inside our data center and responding to external queries from payers, government agencies, and public health with aggregate numbers. Reporting on the number of patients taking Vioxx and the number of patients presenting with chest pain without submitting patient identified data to external registries minimizes risk.

We'll explore the intersection of QueryHealth and I2B2 at BIDMC in the upcoming months and I'll write about that, just as I wrote about our PopHealth lessons learned.

I've written about our efforts to Free the Data and create a learning healthcare system. Today marks a milestone for enabling our data to be explored with Clinical Query while protecting the security and integrity of our enterprise registries and repositories.

Tuesday, April 10, 2012

Today, my team presented a list of risks to the Compliance, Audit and Risk Committee at BIDMC. Here's my list of top risks for 2012:

1. Old Internet browsers - many vended clinical applications require specific versions of older browsers such as Internet Explorer 6, which are known to have security flaws. We've worked diligently to eliminate, upgrade or replace applications with browser specificity. At this point we are 96% Internet Explorer 8/Firefox 7/Safari 5 minimizing our risks to the extent possible.

2. Local Administrative rights - Of our 18,000 devices on the network, a few thousand are devices that require the user to have local administrative rights to run their niche applications (often the research community doing cutting edge research with open source or self developed software). We have done everything possible to eliminate Local Administrative rights on our managed devices.

3. Outbound transmissions - Security has historically focused on blocking evil actors from the internet. Given the current challenges of malware and infections brought in from the outside, it's equally critical to block unexpected outbound activity.

4. Public facing websites - any machine that touches the internet has the potential to be targeted for attack. We've implemented proxy servers/web application firewalls on most public websites.

5. Identity and Access management - Managing the ever changing roles and rights of individuals in a large complex organization with many partners/affiliates is challenging. If an affiliate asks for access to an application, how do you automatically deactivate accounts when users leave an affiliate, given the lack of direct employment relationships?

6. Anti-virus - the best anti-virus applications only catch about 50% of malware. Thus, a multi-layered defense is required. However, adding all those layers impacts performance and can result in false positives. Balancing security, reliability, and performance is challenging.

7. Security awareness - When that phishing email arrives asking users for their username/password, social security number, and a DNA sample, some people still fall for it. Many users surf sites that are known virus distribution sites. Even social networking is a vector for malware.

8. Keystroke loggers and screen scrapers - mobile devices and home computers beyond IT control may contain keystroke loggers that capture user credentials, bypassing encryption, VPNs, and other layers of security.

9. Forensics - increasingly sophisticated security infrastructure implies more events to research which requires additional staff that are challenging to find, recruit and retain.

10. Third party desktop software - it's no longer the operating system that presents the greatest risk, but security holes in Java and Adobe products such as Flash.

Security is journey and you'll never be done. The hope is that your risk profile improves over time as more of the environment is locked down, creating a restrictive rather than permissive infrastructure which makes services available by exception to the minimum extent necessary while balancing security and ease of use. As I've said before, this is a Cold War at a time when Meaningful Use encourages more data sharing and breach reporting/regulatory penalties are increasingly severe. All you can do is your best, given fixed resources and time. And try to get some sleep.

Some clinicians are receiving Medicare penalties/fee reductions even though they have achieved the much more rigorous Meaningful Use requirements.

The Medicare Electronic Prescribing Incentive Program and Meaningful Use are two separate initiatives with two separate requirements, although both promote the use of electronic prescribing through the use of incentives and payment adjustments.

The Medicare Electronic Prescribing Incentive Program promotes electronic prescribing by requiring that an eligible professional report the electronic prescribing activities using G-codes in billing claims for 10 encounters per year.

Beginning 2012, Congress authorized payment adjustments for clinicians who did not become successful electronic prescribers under the Medicare Electronic Prescribing Incentive Program . The 2011 Medicare Physician Fee Schedule outlined the requirements to avoid the 2012 payment adjustment. Eligible professionals were required to report the electronic prescribing measure using the G8553 g-code via claims for at least 10 unique visits where the clinician generated an electronic prescription from Jan. 1, 2011 – June 30, 2011.

Since Meaningful Use does not require claims-based reporting of e-prescribing, it is possible that clinicians could have achieved Meaningful Use but still been subject to the 2012 eRx payment adjustment.

Clinicians cannot receive incentives under both programs, but they can be penalized under the Medicare Electronic Prescribing Incentive Program. The AMA produced a useful guide to incentives and penalties.

The Medicare Electronic Prescribing program applies to 2013 and 2014 and then will end. Thus, make sure you enter your G-codes for 10 encounters that included e-prescribing even if you have attested for Meaningful Use. That way, you'll avoid the penalties.

This project will help us all understand the alignment of healthcare informatics efforts, organizational strategy, and business alignment. If this first iteration goes well, Deloitte and AMIA hope to make it an annual survey, opening it to a wider audience that includes public health, government, and perhaps making it global in scope.

I completed it on behalf of BIDMC and look forward to the results. As you can imagine, I said that informatics is critically important and needs more institutional funding!

Thursday, April 5, 2012

Kathy returns to chemotherapy tomorrow although the numbness in her hands and feet has not changed and she now has a probable tear of a ligament in her right knee, which gives new meaning to limping through her treatments.

Many people responded to my March 29 post with concern that Kathy and I might lose our optimism, given all the events happening in our lives simultaneously.

We have two responses to the events that life throws at us

1. First, we have the support of each other. We have not been apart more than a few days for past 32 years and have the same passion, infatuation, and mutual respect for each other we had on day 1.
2. Second, we believe that everything happens for a reason.

We do not follow any formal religion, although I was baptized a Catholic and Kathy was raised in a Methodist household. We have great respect for the world's religions and feel a special affinity to the Japanese Shinto believe that there is spirituality in every rock, tree, and mountain.

However, we do have a sense that some karmic force guides us on the path of life. We've had many high highs and an equal number of low lows. At the time, we had no idea why the bad things happened, only to discover later that they changed our path to enable an even greater positive event.

Before Kathy's cancer diagnosis, we were looking at Vermont farm property, realizing that it would be challenging to juggle our full time careers in Boston and life in Vermont. We were willing to consider a Boston apartment during the week and rural Vermont on weekends.

The cancer diagnosis made us realize that we needed to be close to Boston for treatment and stay together in a single location all week long.

Our attention turned to property in Sherborn and Harvard, MA. We bid on one property in Sherborn and the seller decided not to sell. We were disappointed at the time, but the challenge enabled us to find an even better, more suitable property that we've agreed to purchase. We move April 27.

Our Wellesley home was the subject of many inquiries even before it was listed. We accepted one offer, but they buyers had bid on two properties and decided to purchase another home. Again, we were disappointed but we kept preparing our home for the best open house possible. We received several offers on the first day and we believe that following the standard listing process, instead of a pre-sale, will be a better outcome for everyone.

It seems odd that cancer would lead us to a farm in Sherborn and a good sale of our existing Wellesley home, but it did.

Kathy will be cured, I'm confident of that, so this series of events, however painful and stressful, will make us stronger and even better poised for the future.

So tomorrow, we'll continue with the chemotherapy, documenting the numbness and the side effects. Next week, Kathy will see an orthopedist for a probable medial collateral ligament tear. And we'll finish the inspections and contingencies that are part of selling our home.

Everything happens for a reason. By Summer, we'll be transitioned to our new life and will finally appreciate the reasons behind the path that we're traversing.

Nearly half of employees report the overwhelming stress and burden of their current jobs, not based on the hours they work, but the volume of multitasking - too many simultaneous inputs in too little time. They've lost the sense of a beginning, middle, and an end to their day, their tasks and their projects. There is no work/life boundary.

As a case in point, I'm writing now while doing email and listening to a Harvard School of Public Health eHealth symposium. Am I being more productive or just doing a greater quantity of work with less quality?

The author of the post points to evidence that multi-tasking increases the time to finish a task by 25%. He also notes that our energy reserves are depleted by a constant state of post traumatic stress induced by our continuous connectivity.

He suggests three strategies

1. Rather than multi-task, reduce meeting times to 45 minutes, leaving 15 minutes for email catchup and transition.

2. Do not expect and do not support the notion that email should be a real time activity.

3. Take breaks and ensure there are boundaries between work and non-work activities.

He suggests three personal best practices

1. Do your most important task of the day without interruption first thing in the morning. That's what I've done for years.

2. Create specific dedicated time for long term, creative thinking.

3. Take vacations.

A great post. Unless all of us declare that the multi-tasking emperor has no clothes, continuous partial attention will only get worse.

Tuesday, April 3, 2012

Hospitals and eligible professionals are attesting to Meaningful Use at an accelerating rate. To me, the Stage 1 Menu Set options NOT CHOSEN are the most valuable predictor of the challenging areas in Stage 2, since all the Stage 1 Menu Set items become Core in Stage 2.

At the January HIT Policy Committee, CMS presented an overview of Menu Set items deferred. Interestingly, the items deferred in Stage 1 are those most likely required for successful Accountable Care Organizations and interoperability.

Submitting reportable lab results and syndromic surveillance for Public Health were largely deferred as well.

Since Meaningful Use Stage 2 has a first attestation date of October 1, 2014 with a one year reporting period, EHR vendors must support these functions via certified systems and clinicians should be using these capabilities by October 1, 2013.

Given that the Stage 2 NPRM will be finalized by August, and you'll have one year to fully implement all this functionality, I suggest working now on these Menu Set options not chosen:

1. Work with your EHR vendor to create a summary of care document (C32 for now, Consolidated CDA in 2013) and partner with your state HIE or other vendor to send these summaries to stakeholders such as primary care providers.

2. Work with e-prescribing networks and your EHR vendor to implement medication reconciliation that leverages outpatient prescription records available from national databases.

3. Work with your EHR vendor and third party knowledge services companies to make patient educational materials available in appropriate languages for your population.

4. Work with your local or state public health department to implement immunization, reportable lab, and syndromic surveilance transactions

5. Work with your EHR vendor to implement patient portals tethered to your EHR or transmission of summary data to non-tethered patient portals such as Microsoft Healthvault.

Robert Frost took the road less traveled and it made all the difference. In 2012, focus on the Menu Set Options Not Chosen and it will make all the difference in your preparations for Stage 2.

Monday, April 2, 2012

1. A longitudinal (not encounter level) patient summary format to transmit appropriate data elements from an EHR to a quality measurement entity
2. A batch reporting format to transmit data elements for multiple patients to a quality measurement entity
3. Although PQRI XML and QRDA have been suggested for reporting data between quality measurement entities and organizations that use this data for payment/compliance, there is not a widely adopted standard for quality reporting in production today.

As I wrote in a wrote in a previous post, ONC/MITRE/BIDMC/Massachusetts eHealth collaborative worked together to evaluate the PopHealth tool with 2 million Continuity of Care Documents.

1. The CCD is a “post-encounter message” not a lifetime clinical summary optimized for quality measurement

The CCD/C32 was designed as an encounter level summary from a single organization. Each patient will have multiple CCD/C32s but there are no well defined process for merging CCDs from multiple institutions and applications. popHealth was expecting each C32 to contain the complete clinical history for one patient since quality measures are often focused on longitudinal treatment of patient, not a single encounter.

2. Meaningful Use Stage 1 permitted multiple vocabularies (or did not specify a vocabulary) resulting in optionality/variability in CCDs

Meaningful Use Stage 2 will correct this problem by specifying one vocabulary without optionality for each portion of the record

3. Quality numerators and denominators are imprecisely defined

Since quality measures are not defined in precise "SQL" or e-measure form, humans have to read the text of the measure and decide how to implement it. For example, does less than or equal to 84 years old refer to 84 years and 0 days verses 84 years and 364 days

Thus, to accelerate quality measurement in the US we should

1. Chose a clinical summary standard for transmission of longitudinal patient care data to quality measurement entities
2. Specify a one vocabulary without optionality for each portion of the record
3. Use e-measurements format to describe numerators and denominators in machine readable logic

If we do this, we'll be able to widely deploy popHealth to automatically calculate quality measures on data exchange from EHRS. We'll also be able to more effectively use architectures like QueryHealth that submit questions to the data rather than aggregate the data into a central quality measurement entity.

The Standards Committee is already hard at work on all these standards.